Cybersecurity: How to protect critical infrastructure
September 30, 2022
Berlin's top diplomat did not sugarcoat things.
To ensure that during a major cyber attack, people in Germany "can still use railways and receive medical treatment, and that police forces can still operate," the country needs to ramp up its cybersecurity measures, Foreign Minister Annalena Baerbock told government officials from around the world gathered for a conference in Potsdam this week.
"We need stronger and more resilient infrastructure," she said.
Her warning highlighted what officials at the event described as a worrying trend: Countries worldwide report an increase in cyberattacks against some of their critical infrastructure such as power grids, water suppliers, or government agencies — assets so vital to a nation’s security or economy that everything could collapse without them.
In August, cyber intruders crippled the IT infrastructure of Montenegro. In July, attackers brought down government websites in Albania. And in the spring, hackers paralyzed the computer systems of almost three dozen government agencies in Costa Rica — prompting the country to declare, for the first time in history, a national emergency because of a cyber attack.
Behind most of the attacks are cybercriminals who make billions by taking computers hostage and demanding a ransom to return access. But Germany’s foreign minister warned that states are also increasingly using cyberattacks as a powerful tool in military conflicts to weaken their enemy.
"Cyber technology has also become part of modern warfare, as we have seen in Russia’s war of aggression against Ukraine," Baerbock said.
Lessons from Ukraine
The experience of the besieged country provides new insights into how cyberattacks are used as a military weapon.
When Russia launched its invasion in February, the number of hacking attacks against targets in Ukraine or with links to the country simultaneously began to skyrocket, according to Oleksandr Potii, the deputy chairman of Ukraine’s Special Communication and Information Protection Service.
Ukrainian authorities later traced most of those cyber attacks back to state actors with ties to Moscow, Potii said. "While some of the attacks were performed by cyber criminals, they were often still coordinated by special services."
Whenever those hackers targeted critical infrastructure, their main goal was to cause as much damage as possible in order to sow chaos, he added.
That was illustrated by an incident involving US satellite firm Viasat. In a concerted effort, just before Russian tanks started rolling into Ukraine, cyberattackers crippled some of the company’s satellite connections, which Ukraine’s military used to command its troops, causing a setback for the country in the early hours of the war.
So far, the incident is considered the largest publicly known cyberattack on Ukraine’s critical infrastructure since February. But Potii stressed that authorities have since fended off several other attacks.
He warned that Ukrainian authorities — although they currently register a relatively low volume of hacking incidents — suspect Russia is preparing new cyberattacks on critical infrastructure. And he cautioned that pro-Russian attackers were also zeroing in on other countries in the West.
"We share the same enemy," he said. "And this enemy is prepared for the next attack."
How to fight back against cyberattacks
So, how do you make a country’s critical infrastructure more resilient against cyberattacks? Experts say a multi-pronged approach is necessary.
On the one hand, governments need to better protect their own systems from falling under the control of hackers, as seen in Albania, Montenegro or Costa Rica.
That is why Germany’s government is, for instance, currently overhauling the IT safeguards of its communication channels. The country is also setting up a data center outside its own territory to store critical information, which could serve as a massive backup if intruders managed to take over the systems.
But those public efforts can only do so much — not least because around the world, most critical infrastructure is owned and operated by private companies, as illustrated by the attack on satellite company Viasat.
Germany, like all members of the European Union, is therefore working on new rules to force providers of critical infrastructure such as energy companies or telecom firms to protect their systems with a certain standard of measures.
Similarly, the US passed a law this spring that will soon require providers to notify authorities quickly after discovering a hack.
Beyond those legal requirements, close cooperation between private technology companies and public officials will be essential, said Kemba Walden, the principal deputy national cyber director at the US White House.
"It is really the private sector who owns that space," she said.
Working together on cybersecurity
There is also a growing consensus among cybersecurity experts that like-minded countries should boost international cooperation in cyberspace.
"We can’t do it alone," said Christian-Marc Lifländer, the head of the cyber and hybrid policy section at NATO. "We all have different pieces of the puzzle, and that’s why information and intelligence sharing is key."
So far, law enforcement authorities have often been hesitant when it comes to exchanging information about cyber threats.
"There is room for improvement," acknowledged Sinan Selen, the vice president of Germany's domestic intelligence service.
But the recent spike in cyber incidents as well as a deteriorating global security environment has led to authorities sharing more intelligence, said Manuel Atug, a spokesperson for the AG KRITIS (Critical Infrastructure Working Group), an independent initiative of German critical infrastructure experts.
But while he called that "a good development," Atug also cautioned that "to make our critical infrastructure truly resilient against cyber attacks, we need a more holistic approach."
For decades, he added, Germany had missed its chance to raise more public awareness for cybersecurity, as well as to train a new generation of experts. "We should, for example, finally start teaching cybersecurity and coding skills in schools."
Speaking in Potsdam, German Foreign Minister Annalena Baerbock signaled that her government was aware of those shortcomings.
When she went to visit Kyiv earlier in September, she paid a visit to the country’s cyber security authority, where she was led into a room full of students between the ages of 16 and 22, she said.
"You are our true experts," she remembered telling them, adding that this should serve her country as inspiration to have "more courage to think outside of the box."
Edited by: Rob Mudge